
Multiple Vendor kadmind Remote Buffer Overflow Vulnerability

Risk

High

Date Discovered

October 21, 2002

Description

A remotely exploitable buffer overflow has been reported in kadmind, the Kerberos administration daemon.
The issue is due to insufficient bounds checking on data the daemon receives over the network. An attacker who exploits it could execute arbitrary code with the privileges of the kadmind process.
The flaw lies in the handling of the Kerberos 4 administration protocol. Kerberos 5 implementations that include compatibility support for the Kerberos 4 administration daemon are affected alongside native Kerberos 4 implementations, so packages from several vendors are reported to be affected.
There are reports that this vulnerability is being actively exploited in the wild.
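To show the bug class the description refers to, the following is an added example and not kadmind's source: a simplified request decoder that unpacks a length-prefixed message into a fixed-size buffer, first trusting the client-supplied length (the insufficient-bounds-checking pattern), then with the length bounded against the destination. The wire format (2-byte big-endian length followed by the payload), the buffer sizes, and the "adjacent stack data" modelled after the buffer are all assumptions made for the illustration; the overflow is kept inside one array so the demonstration itself stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the illustration. PAYLOAD_MAX is the fixed buffer the
 * decoder fills; ADJACENT stands in for whatever follows it on the stack
 * (saved registers, return address). Both live in one flat array so an
 * oversized copy lands in ADJACENT instead of in undefined memory. */
#define PAYLOAD_MAX 64
#define ADJACENT    16
#define FRAME_SIZE  (PAYLOAD_MAX + ADJACENT)
#define CANARY_BYTE 0xA5

/* Zero the payload region and fill the adjacent region with a known pattern. */
static void frame_init(unsigned char *frame)
{
    memset(frame, 0, PAYLOAD_MAX);
    memset(frame + PAYLOAD_MAX, CANARY_BYTE, ADJACENT);
}

/* 1 if the adjacent region still holds the pattern, 0 if it was overwritten. */
static int frame_intact(const unsigned char *frame)
{
    for (size_t i = 0; i < ADJACENT; i++)
        if (frame[PAYLOAD_MAX + i] != CANARY_BYTE) return 0;
    return 1;
}

/* Assumed wire format: 2-byte big-endian length, then that many payload bytes. */
static int read_len(const unsigned char *msg, size_t msg_len, uint16_t *len)
{
    if (msg_len < 2) return -1;
    *len = (uint16_t)((msg[0] << 8) | msg[1]);
    return 0;
}

/* Vulnerable pattern: the copy length comes straight from the client. The
 * only check is that the *source* holds that many bytes; nothing compares
 * the length against the size of the destination buffer. */
static int unpack_vulnerable(const unsigned char *msg, size_t msg_len,
                             unsigned char *payload)
{
    uint16_t len;
    if (read_len(msg, msg_len, &len) != 0) return -1;
    if (msg_len < 2u + len) return -1;
    memcpy(payload, msg + 2, len);          /* writes past payload when len > PAYLOAD_MAX */
    return (int)len;
}

/* Hardened form: reject the request before copying if the claimed length
 * exceeds the destination, then check the source as before. */
static int unpack_hardened(const unsigned char *msg, size_t msg_len,
                           unsigned char *payload, size_t payload_max)
{
    uint16_t len;
    if (read_len(msg, msg_len, &len) != 0) return -1;
    if (len > payload_max) return -1;       /* bound against the destination first */
    if (msg_len < 2u + len) return -1;
    memcpy(payload, msg + 2, len);
    return (int)len;
}

/* Constructed request: a length header followed by `len` bytes of 'A'. */
static size_t build_request(unsigned char *out, size_t out_max, uint16_t len)
{
    if (out_max < 2u + len) return 0;
    out[0] = (unsigned char)(len >> 8);
    out[1] = (unsigned char)(len & 0xff);
    memset(out + 2, 'A', len);
    return 2u + len;
}

/* Runs one decoder against a request carrying `len` payload bytes (len must be
 * at most FRAME_SIZE so the modelled overflow stays inside the frame). Stores the
 * decoder's return value in *rc and returns whether the adjacent data survived. */
static int run_decoder(int hardened, uint16_t len, int *rc)
{
    unsigned char msg[2 + FRAME_SIZE];
    unsigned char frame[FRAME_SIZE];
    size_t n = build_request(msg, sizeof msg, len);
    frame_init(frame);
    if (n == 0) { *rc = -1; return 1; }
    *rc = hardened ? unpack_hardened(msg, n, frame, PAYLOAD_MAX)
                   : unpack_vulnerable(msg, n, frame);
    return frame_intact(frame);
}

/* Convenience wrappers returning one value each. */
static int demo_intact(int hardened, uint16_t len) { int rc; return run_decoder(hardened, len, &rc); }
static int demo_rc(int hardened, uint16_t len)     { int rc; run_decoder(hardened, len, &rc); return rc; }

int main(void)
{
    printf("vulnerable, len=32: rc=%d, adjacent intact=%d\n", demo_rc(0, 32), demo_intact(0, 32));
    printf("vulnerable, len=%d: rc=%d, adjacent intact=%d\n", PAYLOAD_MAX + 8,
           demo_rc(0, PAYLOAD_MAX + 8), demo_intact(0, PAYLOAD_MAX + 8));
    printf("hardened,   len=%d: rc=%d, adjacent intact=%d\n", PAYLOAD_MAX + 8,
           demo_rc(1, PAYLOAD_MAX + 8), demo_intact(1, PAYLOAD_MAX + 8));
    return 0;
}
```

The vulnerable decoder accepts a request whose length field exceeds the buffer and overwrites the adjacent region; the hardened one returns an error for the same request and leaves it untouched. The check that matters is the one against the destination size, which is exactly what "insufficient bounds checking" means in the description above.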

Run all software as a nonprivileged user with minimal access rights.

When possible, run server processes as low-privileged users to limit the consequences of exploitation.

Disable any unnecessary default services.

Disable all services not explicitly required by the system. In particular, disable the Kerberos 4 administration protocol if it is not needed.

CERT has released an advisory which contains information about various vendors and implementations that are reported to be affected by this vulnerability.
CERT has released a followup advisory which retracts information about the applicability of Debian Security Advisory DSA-178 and associated fixes. SuSE Security Advisory SuSE-SA:2002:034 also does not address this issue.
Debian has released Debian Security Advisory DSA 183-1, which addresses this issue for the affected MIT Kerberos 5 packages shipped with Debian GNU/Linux 3.0 (woody). Information on obtaining fixes may be found in the referenced advisory.
NetBSD has released an advisory. NetBSD-current, NetBSD 1.6 and NetBSD 1.5 branches dated 2002-10-22 and later have fixes for this vulnerability. Users are advised to upgrade the crypto/dist/heimdal/kadmin directory in CVS. Further information is available in the referenced advisory.
FreeBSD has addressed this issue as of October 23rd, 2002 for the base Kerberos 4 (kadmind) and Kerberos 5 (k5admind, Kerberos 4 compatibility) daemons. The heimdal and krb5 ports were corrected as of October 24th, 2002. A vendor advisory is reported to be forthcoming.
MIT has released an advisory. Detailed patch information is available in the referenced advisory.
Apple has announced that the Kerberos Administration Daemon was included in Mac OS X 10.0, but was removed in Mac OS X versions 10.1 and later.
SuSE Linux versions 7.2 and ship with Heimdal Kerberos. However, Kerberos 4 support is not enabled.
Gentoo Linux has released an advisory and made fixes available. To update systems, Gentoo Linux users are advised to perform the following update procedures:
emerge rsync
emerge kth-krb
emerge heimdal
emerge clean
Sorcerer Linux has released an advisory and made fixes available. To update systems, Sorcerer Linux users are advised to perform the following update procedures:
augur synch
augur update
Debian has released Debian Security Advisory DSA 184-1 which addresses the issue for affected MIT Kerberos 4 packages.
Debian has released Debian Security Advisory DSA 185-1 which addresses the issue for affected Heimdal Kerberos packages. Information about obtaining fixes are available in the referenced advisory.
Conectiva Linux has released an advisory. Further information can be obtained from referenced advisory.
Red Hat has released a security advisory which addresses the issue for affected MIT Kerberos 5 packages.
FreeBSD has released an advisory. Users are advised to update their ports tree and reinstall the heimdal or krb5 ports or to download and install a patch. Further, detailed information is available in the referenced advisory.
IBM has made APARs available to resolve this issue.
HP has released advisory HPSBTL0211-077 for HP Secure OS advising users to apply the fixes listed in Red Hat advisory RHSA-2002:242-06.
Fixes have been released which address this issue:

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.